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^ (54) Title: S YSIEM AND METHOD OF BOOTSTRAPPING A TEMPORARY PUBUC -KEY INFRASTRUCTURE FROM A 
3 CELLUIjyiTELECOMMUMCATrON AUTHENTICATION AND BHJJNG 

^ (57) Abstract: A system, method and computer program for ordering, paying for and delivering goods and services through the use 
^ of certificates. These certificates insure that the buyer is only bill^ once for the good or service purchased and only for the correct 
^ amount This system, method and computer program employs the authentication center used to enable access to a telecommunication 
^ infrastructure to bootstrap a public-key infrastiuctune. This system, method and computer jrogram will validate the identity of the 

mobile station being used utilizing log term keys stored in the mobile station and an authentication center. Tbe system, method and 
jgl computer program will then utilize these keys and variables to generate digital certificates and signatures which enable the purchase 

of goods and services using a mobile station. The gateway will then verify the authenticity of any charges made based on the digital 
^ certificates and signatures received. Thus, a user of this system, method and computer program can purchase goods and services 
^ without fear of fraud or errors. This mobile station may be a cellular phone and when used with this system, method and computer 
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SYSTEM AND METHOD OF BOOTSTRAPPING A TEMPORARY PUBLIC .KEY 
INFRASTRUCTURE FROM A CELLULAR TELECOMMUNICATION 
AUTHENTICATION AND BILLING INFRASTRUCTURE 

TECHNICAL FIELD 

The invention relates to a system and xnethod ofbootstrapping a public -key infifastnicture to enable 
secure payment of goods and services using a mobile tensinaL More particularly, Ifae invention is a system 
and method in which subscribers of a cellular telecommunication system can buy goods and services fiom 
sellers and airange for payment through the subscriber's te]q3hone bill using a mobile tenninal which 
^isures that OTors and fiBud do not take place relating to the payment. 

BACKGROUND ART - 
It has been common for buyers to pay for.goods ai^d sendees using credit and debit cards. The use 
of credit cards has eliminated the need to cany laige amounts of cash in order to pay for these goods and 
services. Fur&er, fhc use of a credit card has eliminated the need for car rental agencies and hotels to 
require large deposits in order to assure return of vehicles or to reserve rocnns. Thus, the use of credit cards 
has fecilitated the transacting of business and thus provides a significant convenience to die buyer. 
However, credit cards have also facilitated the occurrence of fiaud and errors in which the customer is 
double billed for flie same item or billed fte inconect amount 

With the explosion in Internet access and usage, an increasing vohme of business is occunijag 
between individuals and firms, who have never seen each o&er, let alone e ngaged in any prior business 
transactions. Currently, a typical Internet user would have a browser installed in his local conq^niter or 
server such as Internet Explorer™ or Netscape™. Using this browser, the user would access an Internet 
service provider, such as America-Qn-Une (AOL™), via a modem over the local public switched 
telephone network (PSTN). Once logged onto the Internet servo; the user may utilize one of the many 
search engmes, such as Yahoo™ or Lycos™, to specify search terms. The user may also use a web 
crawler, spider or robot to attempt to find a product, service or information desired. The search engine or 
web crawler would then respond with a list of web sites which matched the search terms the userprovided. 
The user would then log onto a web site and view the products or services available for sale. If the user 
decides to buy the item 6om the web site, the fam operating the web site would again finequently request a 
credit card number be entered by the user in order to pay f or die product or service. Once the credit card 
charge is approved, the operator of ihe web site will then typically ship the item to the user. In the case 
where the item ordered is digital in fomiat, such as software, graphics, text, video, or music, th e item 
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ordered maybe downloaded into the nsei=s PC, server, lap top, palm computer or other processor -based 
system. • 

With the advent of cellular phones with and without wireless access protocol (WAP), a user may 
also Asurf@ the Internet and order goods and services directly througih the WAP -capable phone or a 
process(»'-based system connected to the cellular phone in a similar manner as that used with a PC Thus, a 
user may order goods and sen^ices from anywhere with a cellular phone, satellite phone, or ot her type of 
mobile station. Therefore, a person could be sitting in the middle of a remote area, mapy miles away from 
ano&er human being, let alone a telephone line, and order a video game from a web site on the ofter side 
of the planet and download it into his pafan compute coimected to a cellular or a standalone WAP or 
HTML (Hypertext Markup Language) capable phone and play the game on the spot 

However, the user or consumer may not Icnow who is operating the web site and may have a 
legitimate fear of supplying a credit card number over the Internet to a stranger who may or may not 
deliver the desired product Further, the user may be concerned &at die agreed vpan price will not be the 
price actually charged to his credit card even when fte buyer is d ealing duectly in a face to &ce transacdon 
wiOi the seller. In addition, there is also the possibility even in a face to face transaction that tbebuyermay 
be double billed for the same item. Also, in an Internet transaction thm is no guarantee fha t the goods will 
be delivered if the web site operator is less than honest 

Credit card compaaies have attempted to resolve the issues related to double billing or billing the 
incorrect amount by providing dispute resolution services in which a customer ma y challenge a charged 
■ amount and the credit card con^any will launch an investigation. However, such an investigation may 
take a long time and the buyer is not guaranteed of a satisfitctory resolution. In the case of fraud due to a 
stolen credit card, the credit card con^any will normally limit liabOity if the card is pron^tly reported as 
stolen. In the case of a debit card, the bank may not be required to limit liability in case of loss or theft. 

Other methods utilized to prevent fraud and error in com meresal transactioos has been toougb&e 
use ofdigital signatures diat may not be repudiated. Inpublickeysystems,anentitycalledtfaecertification . 
authority (CA) p^onns two central functions: issuance and revocation of c^tificates. A certificat e is used 
to connect a name or an authorization, such as perniissiosi to make purchases, to a public signature 
verification key. The certificate is signed by tfie CA To verify the certificate an auttientic copy of CA's 
public signature verification key is required. For sample, assuming a person or entity has the public key 
of a certain CA (CAl). This person or entity can veriiy certificates issued by a certain CA (CA2), only if 
CA2*s public key has been certified by CAl : This type of cross -certification of CAs is referred to as a 
"j>ubhc key infi^structure" (PKI). Thus, in order for digital signatures to have widespread usage such 
digital signatures require the presence of a global PKI which is difficult to develop since it requires 
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contracts and agreements between a large number of parties; Attempts to create such a global PKl system 
have so far met with failure. Public key c^ficates and cross certification are discussed in iurfher detail in 
Section 13.4.2 "public key certificates" and Section 13.6.2 ''Trust models involving nniltiple ceilification 
authorities" of Handbook of Applied Cryptography bv A. J. Menezes et al., CRC Press 1997. ISBN 0 - 
8493-8S23-7, which are incoiporated herein by reference. 

. . Therefore, what is needed are a system and method which allows a user or consumer to pay ibr 
goods and services while ensuring that an hacker or criminal may not listen in. or tap into a payment 
transaction between a legitimate buyer and seller and later use this knowledge to make purchases iKduch axe 
charged to the legitimate user. This system and mefttod should further not allow the legitimate user fit)m 
repudiating legitimate charges he has made. This -sj^tem and method should also prevent a seller fiom 
forging payment transactions in the name of a legitimate ccmsumer. This system and method should also 
not require the establishment of a new infirastructure in order to operate jiroperly. 

PISaOSVJRE OF JNVgNTlON 
. An embodiment of the present invention provides a method of ordesing, paying for and delivering 
goods and services using a mobile station. This method starts by authenticating (he mc^ile station is 
permitted access to a telecom infrastructure! It then accesses a gateway by the mobile station and transmits 
an identification code fortbemobile station to the gateway. This method then requests a digital certificate 
by the mobile station from the gateway used for ordering and paying for a product or service from a seller 
using the certificate. The method then verifies the identity of the mobile station b y the gateway accessing 
an authentication center and coniparing variables computed by the mobile station and variables conoputed 
by the gateway. It then verifies the legitimacy of the gateway by comparing tiie variables computed by the 
gateway witib the variables computed by the mobile station. The method delivers a digital certificate to the 
mobile station by the gateway when the identity of Ae mobile station and the gateway have been verified. 
It then requests a product or service from a seller and transm its a digital signature^ accoaqianied by the 
digital certificate for the signature verification key, as payment to the seller. . 

Further, an embodiment of the present invention creates a system and computer program for 
ordering, paying for and delivering goods and services using a mobile station. This system and computer 
program uses a GSM authentication module to veri^ that the mobile station belongs to a user that can be 
billed. It also has a mobile station certificate acquisition module to request a dig ital certificate for the 
mobile station £rom a gateway and verify that the gateway is authorized to issue tibe digital certificate by 
comparing variables computed by the gateway and fiie mobile station. The system and method also has a 
gateway certificate generation module to veriiy that the mobile station is authorized. This module also 
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transmits an intemaliona] mobile subscriber identifierreceived from the mobfle station to an authentication 
center, and receives inforaaation using which it can verily the authenticity of the mobile station by means 
of a cballenge-xesponseprotocol. Once verified, this module generates and issues a digital certificate to the 
mobile station. 

Thes e and other features of this device and method will become more apparent firom t he following 
description .'when taken in connection with the accompanying drawings which show, for jpuiposes of 
illustration only, examples in accordance with flie present invention; , 

WtWF DESCRIPTTQN OF THE DRAWINGS 
. The f<TCgomg and a better understanding of the present invention mil become apparent fi-om tibe 
following detailed desaiption of exemplary embodiments and flie claims vfbm read in connectian with the 
accompanying drawings, ali forming a part of the disclosure of this invention. While the foregoin g and 
followmg written and illustrated disclosure focuses on disclosing exanaple embodiments of the invention, it 
should be understood that the same is by way of illustration and example only and the inv^tion is not 
limited thereto. The spirit and scope of the present invention are limited only by the temis of the appended 
claims. 

1,1 

The following represents brief descriptions of flie drawings, wherein: 
FIG. 1 is an example of an overall system diagram of an embodiment of the present invration; 
FIG. 2 is a diagram of the messages passed between a mobile station, a gateway, and a home 
location register (HLR) that contains or is connected to an au&entication crater. (AUQ so that the buyer 
maybe authenticated and ultimately receive a certificate which may be used to purchase goods and 
services; 

FIG. 3 is a flowchart of the mobile stations certificate acquisition module shown in FIG. 12 as 
utilized in an embodiment of the present invention; 

FIG. 4 is diagram showing a Global Standard for a Mobile (GS^ communicat ions authentication 
algorithm used in the sample embodiments of the present invention; 

FIG. S is a flowchart of the gateway certificate generation module shown in FIG. 1 2 as utilized in 
an embodiment of the present invention; 

FIG. 6 is a diagram of the me ssages that pass between the mobile station and the sdler in order to 
ticilitate the purchase and payment of goods and services as utilized in an example embodiment of the 
present invention; 

HG. 7 is a flowchart of a buyer purchase module shown in HG. 1 2 as utilized by an embodiment 
of the present-invention; 
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FIG. 8 is a flowchart of fhe seller sales module/sho^ in FIG. 1 2, as utilized byan embodiment of 
the present invention; 

FIG. 9 is a diagram of the messages passed between the seller and ttegatewa y in orderto&cilitate 
payment to the seUer for services and goods provided the buyer in an example embodiment of the present 
invention; 

FIG. 1 0 is a flowchart of the seller billing module^ shown in FIG. 1 2, as utilized in an example 
embodiment of the present invention; 

FIG. 1 1 is a flowchart of the gateway billing module, &awn in FIG. 12, as utilized in an exan^le 
embodiment of the present invention; and 

FIG; 12 is a modular configuration diagram of the embodiments of the preset invention shown in 
HGs. 3-5,7,8,10, and 11. 
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BEST MODE FO R CARJIYING OUT THE INVENTION 
Before beginning a detailed description of the invention, mention of the following is in order. 
When appropriate, like reference numerals and characters maybe used to designate identical , conesponding 
or similar components in differing figure drawings. Further, in the detailed description to follow, 
exemplary sizes/roodels/values/ranges may be given, although Ibe present invention is not limited to the 

same. ' " 

FIG. 1 illustratcis an example of an overall system diagram of an embodiment of the present 
'invention. In this ^cainple embodiment a mobile station (MS) 2Q acts as an interfece forthe user, buyer or 
consumer 10 for access to the present invention. This mobile station (MS) 20 may be aWAP-capaWe 
cdhilar telephone, a Hypertext Markup Language (HTML) capable celhilar telephone, or a cellular 
telephone with a processor-based system connected to it. This processor-based system may be, but not 
limited to, a laptop computer, palm computer, or oOier portable computing devices including the WAP- 
capable telephme alone. The mobile station (MS) 20 communicates through the telecom infiastiucture 30 
to a local network operator service 70 through a gateway 60. Telecom infrastructure 30 may be , but not 
limited to a cellular telephone control protocol, such as GSM (Global System for Mobile Communications) 
telephony system, an4 intpnet protocol (IP) over wireless local area network (LAN) or any other suitable 
access protocol. The interface between the mobile station 10 and the seller 50 is to communications 
infiastructure 35 which may be, but not limited to, a cHrect physical connection, correct short range radio 
frequency (RF) connection, an IP connection, or any other suitable means of communi cation. In turn the 
seller 50 may communicate to the gateway 60 and thus the local netwoik operator service 70 .through, but 
not limited to, an inteiset protocol packet-switched network, a dial-up line over the public switched 
telephone netwoik, or any other suitable means of communications. Therefore, the embodiments of the 
present invention are not limited to communications using the Internet Further, the local netwoik operator 
service 70 may conomimjcate to fee buyei«s 10 home network opmtor service 50 directly ferougb the 
PSTN or via the Internet In addition, the home netwoik operator service 80, the local netwoik operator 
service 70 and a gateway 60 are all considered part of the mobile telephone infrastructure for billing and 
authentication 90 which serves to facilitate the purchase of goods and services. 

In FIG. I it should be noted that the assumption is made that user 10 is not within the home 
netwoik operator service 80 area. However, the embodiments of the present invention will operate when 
(he user 1 0 is in the home netwoik operator service 80 area and thus the home network operator service 80 
and the local netwoik operator service 70 may be one and the same entity. 

When fee user or consumer 1 0 is not in his home netwoik operator service 8 0 area, fee user 1 0 
may still make purchases fit>m seller 50 if a roaming agreement exists between fee local network operator 
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service 70 and the home netwojic operator service SO. Further, the seller SO may be anyone selling a good 
or service from a street flower vendor to a department or clothing store. The seller SO may also be a seller 
of software or other digital products and may have a store fix>ht €fr may have a web site on the Interaei 40. 
The only restriction on the seller SO is that he be pennitted by the local network operator service 70 to 
accept digital payment certificates from a buyer 1 0 and submit them to the local netwoik operator service 
70forpayment. If the user orbuyer 10 is outside of his home network operator service 80 area^ the loca 1 
network operator service 70 will submit an accountmg record of flie transaction between buyer 1 0 and 
seller 50 to the useF»s 1 0 home network operator service 80 for billing on the user»s 1 0 telephone bill. 

Still refening to FIG. 1 , using the present in vention it is possible for a buyer 1 0 to utilize mc^bile 
station 20 similarly to a credit card to pay for goods and slices wherever the usei^s hcmie netwoik 
operator service 80 has established a roaming agreemrat widi fte local netwoik operator service 70. As 
with the major credit cards, this could someday be woddwide if a universal cellular phone standard is 
established. As will be discussed ahead, the use of the present invention eliminates the possibility of 
double billing a buyer 10 for a product or service or submitting an incoirect price .for payment for a . 
particular good or service. Further, since digital signatures cannot be forged by any party that do not have 
access to the signing ksy^ and since the signing key is never released outside the mobi le station 20, it would 
be impossible for a third party eavesdropper, hacker, criminal, or the seUer to either undetectably modify 
payment messages g^erated by a legitimate payer, or generate bogus payment messages purportedly 
coming from a legitimate payer. In addition, the buyer or user 10 may utilize mobile station 20 wherever 
his home network operator service 80 has established a roaming agreement and his mobile station 20 can 
interface to the local netwoik operator service 70. 

A discussion will now be supplied involving thcf logic employed in the embodiments of the present 
invention. Specifically, a discussion will be provided of die flowcharts and diagrams illustrated in FIGs. 2 
through 1 1 and the modular configuration diagram provided in FIG. 12. The flowcharts and diagrams 
shown in FIGs. 2 trough 12^ as well as the modular configuration diagram shown in FIG. 12 contain 
qperatioiis that conespond, for exan^le, to code, sections of code, instnictions, finnware, hardware, 
commands or the like, of a computerprogram that is embodied, for example, on a storage medium such as 
Sappy disk, CD Rom, EP Rom, hard disk, etc. Further, the computerprogram can be written in any 
language such as, but not limited to, for example C-H-. 

Embodiments of the presentinvention use the GSM (Global System for MobileCommunicati^ 
telephony system that enrploys algorithms in the mobile station (MS) 20, sudi as, but not limited to, 
cellular phones and WAP-capable cellularphones, and the a mobile telephone infrastructure forbilling and 
authentication 90 which controls authentication of the . user 10 and mobile station 20 to prevent 
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imauthorized access to the netwoik and to provide encryption of the transmissions between users. The 

, ' I 

GSM System is describejd in depth in fte publication, "The GSM System forMobile Communications" by 
Monly and Pautet, Copyright 1 992, which pnbb'cation is mcoipoiated herein by reference in its entirety. 
Security feattiTBS of the GSM system are described in pages 477 lhrougb498 of theMouJy and Pautettext. 
Further detail of the GSM system security is provided in ETSl publication TS 100 929 V.6. 1,0 (1999) 
entitled ADlgital cellular telecommunications system (Phase 2+); Security related network iunctipns® 
(GSM 03.20 version 6.1 .0 Release 1 997), which is incorporated herein by reference in its entirety. The 
usage of the GSM system in the present invention will be discussed in further detail inrelation to tbeHGs. 
2-1 2 and in particular to FIG. 4. However, it should be noted that any other GSM like system maybe used 
that aufhditicates a mobile station 20 for access to a teleccmi infrastructure -36. * 

FIG. 2 is a diagram of the messages passed between a mobile station 20, a gateway 60, and a home 
location register (HLR) authentication center (AUG) located in the home network operator service 80, In 
the following discussion, curiy brackets { } indicate a set of one or more items, and square brackets [ ] 
indicate ah optional itenl. The messages 2 1 0 through 260 enable mobile station 20, and thus a buy er 1 0, to 
receive a digital certificate which enables the buyer 1 0 to purchase and pay for goods and services from 
seller SO. A total of fqur messages are exchanged between mobile station 20 and gateway 60, while two 
messages are exchanged between gateway 60 and HLR/AUC 1 00. These messages will be discussed in 
farther detail in reference to FIGs. 3 and S. However, to summarize^ message 2I0:is transmitted from 
mobile s^tion 20 to gateway 60 and contains a session idoitification (SID) and an intemationa 1 niobile 
subscriber identifier (IMSI). TlielMSI is a um'que identification jnumber supplied for eadi mobile station 
20 by the home network operator savice 80 upon initial signing of a contract for service. The SID is a 
nuniber assigned by the mobile station 20 and used to identify tiiis particular session. The gateway 60 in 
turn stores the SID and IMSI in its local memory and transmits the IMSI in message 220 to the HLR/AUC 
1 OO contained within home netwcsk operator service 80, The gateway 60 is able to i dentiiy which HLR 
/AUC 1 00 it needs to tran^iit the IMSI to based on infomoatioh contamed within the IMSL As will be 
discussed in further detail in r^foence to FIG. 4, flie HLR/AUC 100 responds with message 230 
containmg a random number (RAND) 410, a s igned response (SRiES) 450, and an enayption key (Kc) 
400. The gateway 60 takes the Kc 400 and uses it to compute an integrity k^ (K) based on the formula K 
^ f ({Kc}), where f is a cryptographic one -way hash function known both to flie gateway 60 and to the 
mobile station 20. The gateway 60 would then store the SID, IMSI, RAND 440, SRES 450 and K in a 
single record in the gateway«s 60 memory. Thereafter, message 240 is srat from the gateway 60 to the 
mobiIe5tation20andcontainsRAND440andMl. Ml is computed based upon a message authentication 
code (MA(J) function using integritykey(K) And RAND 440. The formula used is represented as Ml « 
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MAC (K, {RAND}). The purpose of a MAC is to facilitate, without the use of any additional 
mecbanisms, assurances regarding both the source of a message and its integrity MACs have two 
functionally distinct parameters, a message input ({RAND}) and a secret key (K). MAC iunctions are 
discussed in for&er detail in sections 9.5 Akeyed bash iunctions (MAG=s)@ and 9.6 .3 AData Integrity 
Using MAC Alone© of Handbook of Applied Cryptography by A. J. Menezes et al., CRC Press 1 997» 
ISBN 0-8493-8523-7, which are incoiporated herein by reference. ^>Qn receipt of the RAND 440 and M J 
variables, the mobDe station 20 computes SRES 450 and Kc 400 based on RAND 440 and secret key (Ki) 
410. Ki 410 is a secret key installed by the home network operator service 80 in the mobile station 20 
upon signmg up for a service plan. The mobile station 20 also computes the integrity key (K) usin^ die 
fomiula K - f({Kc}). The computation of Kc 400 is discussed in furfter detail in reference to FIG. 4. 

StiH refening to FIG. 2, mobile station 20 responds to the receipt of messiage 240 by the generating 
message 250 and transmitting message 250 to gateway 60. Message 250 includes SRES 450, apubbc key 
CPK), any restrictions, an alias, and M2: The public key (PK), provided by mobile station 20, is used to 
generate digital signatures for user 1 0 which act as approvals for charges made in the p urchase of goods 
and services. Both die restrictions and alias are optional items. Restrictions nder to limitations on 
transactions that may be placed. For example, user or buy^ 1 0 may be protected firom a loss or theft of 
mobile station20 by. limiting die amount of any given purchase, the number purchases that can be made 
^vidiin a paiticolar time fiame, or the time period within which O^e public key is valid. The alias is an 
alternate identification for the mobile station 20. M2 is computed based upon another MAC function 
utilizing the variables K, SRES 450, PK, restrictions, and the alias. The specific formula for cong>utation 
ofM2isM2»MAC(K, {SRES}, PK,[{re5tricticH}s}], [alias]). Upon receipt ofmessage 250, d)e gateway 
60 generates a digital certificate (C) and stores in a record in memory the SID, IMSI, f (RAND, SRES,K), 
PK, restrictions, alias, and digital certificate (Q. Thereafter, the gateway 60 computes M3 which is based 
on fbnnula M3 MAC (K, C). Then in message 260, die gateway 60 transmits the message 260 
containing diedigital certificate (C) and M3 to the mobile station 20. The digital certificate (C) may then 
be used to purchase goods and services firam seller 50. 

In an alternate embodiment of die messa]ge^ ^own in FIG. 2 , i t is possible to enhance security of 
the present invention by enciypting the IMSI in message 21 0 using a public key si^l^^ 
60 or some other server. In this mannerit is less likely that die IMSI would be intercepted by a diird party. 

In a still further alternate embodiment of die messages shown in FIG. 2, it is possible to have ttie 
SID joindy selected by die mobile station 20 and die gateway 60. In diis manner, tracking of die certificate 
in message 260 and associating it to die SID may be simplified for die gateway 60. . 
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In another alternate embodiment of the messages shown in FIG. 2, it is possible to drop the SUES 
450 in message 250 since it is already required to generate a correct M2. 

In another embodiment of the messages shown in FIG , 2, it is possible for the HLR to compute the 
integrity key K and send it as part of message 230 to the gateway. In this case, as an allemalive 
embodiment,' instead of the integrity key (K) computed as a function of the set of encryption key (Kc) 400, 
it may be cpniputed directly from the secret key (Ki) 4 ] 0 and the random number (RAND) 440. 

In another embodiment of the messages shown in FIG. 2, the public key (PK) may be a long temi 
public key stored in the authentication center (AUG). In this case, FK i s included in message 230» and 
need not be included in message 250. 

In still another embodiment of the messages shown in FIG. 2, the public key (PK) of the local 
network operator service 70 (denoted as FK_G) can be included in message 260. This allows the mobile 
station 20 to verify certificates that were issued by the operator to other entities such as sellers.SO. It also 
allows the mobile station 20 to verify certificates that wm issued to other mobile stations 20, thereby 
allowing the first mobile station 20 to act as a sell^. Tberefc»re, a mobile station 20 may act in one 
instance as a buyer and in the next instance as a seller. This would be most suitable when the product 
being sold is a digital product However, any good or service may be sold this way. 

A discussion will now be provided for FIGs. 3 throu^ 5 detailing ftte exchange of messages as 
shown in FIG. 2. FIG. 3 is a flowchart of the mobile station c^lificate acquisition module 1 500 shown in 
FIG. 12. The mobile station certificate acquisition module 1500isusedtogeneratemessages2108nd250 
shown in FIG. 2. The. mobile statim certificate acquisition module 1500 also receives and processes 
messages 240 and 260 fitnn a gateway 60, as shown in FIG. 2. The mobile certificate acquisiti on module 
1500 includes operations 300 through 430 shown in FIG. 3. 

Referring to FIG. 3, the mobile station certificate acquisition module 1500 begins execution in 
openition 300 and immediately proceeds to operation 3 1 0. In operation 3 1 0, a SID is genent ted wUcik is a 
unique number identi^dng a session. In addition, the MSI lepiesenting the international mobile 
subscriber identifier is retrieved and along with the SID is transmitted to gateway 60 in message 210. 
Thereafter, in operation 320, flie mobil e station 20 will wait for receipt of message 240 from gateway 60. 
tJpon arrival of message 240, processing will then proceed to operation 330. As previously discussed, 
message240containsarandQmnfumber(RAND),andM}. Ml wascomputedbythegateway6 Outilizing 
a integrity key (K) and a random number (RAND) received from the HLR/AUC 1 00. In operation 330, 
mobile station 20 computes M T. Mr is computed in the same manner by the mobilestation 20 as Ml was 
computed by gateway 60 with the exception th at encryption key (Kc) 4(X) is contained within the mobile 
station.20 itself and is used to compute integrity key (K). Utilizing tiie same fomnila used by the gateway 
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60, the niobile station 20 is able to compute Mr. The fonnula utilized is MV » MAC (K, { RAND]}. 
Therefore, in operation 340 a comparison is made between Ml received from gateway 60 and Ml' 
computed by the mobile station 20. This conqiarison is done in order to assure the niobile statim 20, and 
thus user J 0, that the source ofmessage 240 is a legitimatepordon of the GSM system. If Ml isnot Ibund 
to equal M I' in operation 340, then processing proceeds to operation 350 where execution of the mobile 
station certificate acquisition module 1500 is aborted and processing tenninates. If operati on 350 is 
executed the assumption is that message 240 has been corrupted or fliat a gateway 60 is being 
impersonated by an unauthorized individual. 

Still referring to FIG. 3, if MI = Ml', then processing proceeds tmm operation 340 to operation 
360. In operation 360, M2 is computed. As previously discussed, M2 is con9>uted based upon a MAC 
function utilizing the variables K, SRES 450, PK, restrictions, and the alias. The specific fonnula for 
computation ofM2 is M2« MAC (K, {SRES), PK,[ {restrictions}], [aHas])- Thereafter, mesiagc 250 is 
generated containing SRES, PK,restricti(»is, alias, and M2 and is transmitted to gateway 60. In operation 
380themobilestation20wait5forreceiptofmessage260fromgateway60. Upon receipt ofmessage 260 
from gateway 60 processing th^ proceeds to operation 390. In operation 390, M3' is computed as 
previously discussed above in referrace to FIG. 2. M3' is computed in the same maimer as M3 was 
computed by the gateway 60 based on fomrala M3 ^ MAC (K, Q with the exception that enoyption key 
(Kc) 400 is contamed within the mobile station 20 itself and is used to compute integrity key (K). 
Tliereafter, processing pix)ceeds to operation 400 where M3' is con^ared against M3 received m message 
260 fiom gateway 60. If it is determined in q3eration 400 diat M3' does not match M3, then processing 
proceeds to operation 410. In operation 410, processing of fbe mobile station certificate acquisition 
module 1500 is temunated. When M3' does not match M3, it is assumed th at message 260 has been 
corrupted or that an unauthorized individual is iinpmonating a gateway 60. However, if M3' does match 
M3 in operation 400, then processing proceeds to operation 420. In operation 420, fiie certificate leceived 
in message 260 is stored in tiie memory of mobile station 20. This certificate may be used, within any 
associatedrestrictions,i0rthepurchasingofgoods and sendees fiomseller50. Thereafter, processing fiar 
the mobile station certificate acquisition modxile 1500 tenninates in operation 430. 

FIG. 4 further details authentication in a GSM netwoik perfomied by fee generation of a signed 
response (SRES) 450 by botii themobile station (MS) 20 and the home netwoik operatcn^ sendee 80 and 
gateway 60 which is a function of a unique secret key (KQ 41 0 of the mobile station 1 0 and a random 
number (RAND) 450 as used in the logic shown in FIGs. 3 and 5. The signed response (SRES) 450 is 
calculated in a subscriber identification module (SIM) (not shown) located in the mobile station (MS) 20, 
based on Ki 4 1 0 inside the SIM and RAND 440 obtained fiom the networic aufhentication center (AUC) 
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(not shown) in the home networic operator service 80. Additionally, the mobile station (MS) 20 and (he 
authentication center in the honie networic operator sendee 8*0 each generate a ciphering key (Kc) 400 
which is a function of the same random number RAM) 440 and the secret key (Ki) 41 0 of the mobile 
station 20. This authentication process is a two stage process which employs two algorithms. The first 
algorithm^ which calculates SRES 4S0» is known as the A3 algorithm module 420 and the second; key 
generation».ta]gorit]im which computes Kc 400, which is computed each time a mobile station 20 is 
authenticated, is known as the A8 algorithm module 430. However, each o^ the operations of 
authentication and computing of the ciphering key (Kc) 40b re(]uires the mobile station (MS) 20 to be 
programmed to perfomi the aforementioned computations. 

Still referring to FIG. 4, the mobile switching center (not shown) I ocated in the local networic 
qperator sen^ice 70 authenticates the mobile station 20 whenever a new mobile station (MS) 20 registers 
with the mobile telephone infrastructure for billing and authentication 90 and whenever a registered mobile 
station (MS) 20 turns on the power. Authentication in a GSM system is based on a secret key (Ki) 310 Oiat 
is shared by the hoihe network operator service 80 and the subscriber and which is different for each 
subscriber. The home network operator service 30 keeps the key K i 41 0 in the AUG and die subscriber has 
Ki 410 installed within SIM card of the mobile station 20, which he receives firom the home network 
operator service 80 when the subscription contract is made. To protect the secrecy of Ki 41 0, (be SIM is 
made so that the mobile station (MS) 20 cannot directly access the value of Ki 410, and can only initiate 
certain computations in the SIM that use Ki 410 and then receive the results of those computations. 
Similarly, the elements of the mobile telephone infirastructu re for billing and authentication 90, such as 
home location register (HLR) cannot access subscribers' keys Ki 410 directiy. These network elements 
may only request fiom the AUG a result of computations that use Ki 410 as discussed above. These 
computations are an A3 algorithm module 420 dnd an A8 algorithm module 430 and are ideiitical in the 
SIM of the mobile station (MS) 20 and in the AUG in the home network operator service 80. 

The foregoing mentioned GSM autiientication process is a two stage process. In the first stage of . 
GSM authentication, a local network operator service 70 element, which is typically a MSCA^ (Mobile 
services Switching CenterA^jsitor Location Register), receives an International Mobile Subscriber 
Identifier (IMJSI) fiom the mobile station (MS) 20 and requests fiom die AUG of the home network 
operator service 80 one or more triplets. These triplets are composed of RAND 440, SRES 450, and Kc 
400. This process begins by the mobile station 20 sending an International Mobile Subscribe r Identifier 
(IMSI) to MSCrSTLR in the local rietwoik operator service 70. The MSCA^R then requests authentication 
triplet(s) (RAND 440, SRES 450, and Kc 400) from the AUG in flie home network operator sendee 80. 
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The AUC, in the home network operate serv ice 80, computes one or more triplets (RAND 440, a SRES 
450, and a Kc 400) and sends th^ to the MSCyVLR in the local netwodc operator service 70. 

In the second stage of GSM authentication, theMSCWLR of the local networic operator service 70 
authenticates the mobile station (MS) 20 by the MSCA^ in tlie local network operator service 70 
sending to mobile station 20 aii authentication request (RAND) in which the message contaiiis a RAND 
1 40. The MS 20 then sends to the SIM, contained within MS 20, a run GSM algorithm (RAND) request 
message which again contains RAND 440. In operation 260, MS 20 sends to the SIM a get response 
me^^a^e. Thereafter, the SIM Tq)lies with a respoiise having a SRES 450 and Then MS 20 stores 

Kc 400 in the SIM by sending to the SIM a mite (Kc) request in which ihe message contams Kc 400. The 
MS 20 sends to MSCAO-R a Radio Interface Layer 3, Mobility Management (RIL 3 -MM) protocol 
authentication response in which the SRES 450 is contained in the message. After receiving t be message 
fhe MSCA/LR, in the local network operator service 70, compares SRES 450 that it has received from the 
AUC in the home network operator service 80, in stage one of GSM authentication discussed the SRES 
450 received Srom the MS 20. Ifibe values of the SRES 450 are det^mined not to be identical then 
avtbratication fiiils and service is not established. However, if the values are identical then authentication 
succeeds and service is estabUshed ibr die MS 20. 

FIG. 5 is a flowchart of the gateway certificate generation module 1600, shown in FIG. 12, as 
utilized in an embodiment of thepresent invention. The gateway certificate generation module 1600 is the 
counterpart of the mobile station certificate acqwsition module 1500 and serves to generate a digital 
certificate required by buyer 10 in order to make purchases fiorn seller 50. The gateway certificate 
generation module 1 600 begins execution in operation 500 and immediately proceeds with operation 5 1 0. 
In operation 510,. the gateway 60 awaits transmission of message 210 iom mobile station 20. Upon 
receipt of message 21 0 fi-om mobile station 20, the gateway 60 stores in local memory the SID and IMSI 
contained in message 2 1 0 and processing proceeds to operation 520. In operation 520, the gatew ay 60 
generates message 220 containing the received IMSI^ Based on IMSI, the gateway 20 knows which 
HLR/AUC the mobile station 20 is associated with and can thereby transmit message 220 thereto. 
Thereafter, processing proceeds to operation 536 where the gateway 60 waits for the receipt of message 
230 fiY>m the HLR/AUC 100. The HLR/AUC 100 iipon receipt of message 220 will reply with one or 
more triplets. These tnpleis contain RAND 440, SRES 450, and Kc 400. The gateway 60 will Oien 
proceed to compute M I in operation 540 as previously discussed. M 1 is computed based upon a message 
authentication code '(MAC) Junction nsing integrity key (K) And RAND 440. The fonnula used is 
represented as Ml « MAC (K, {RAND}). Integrity key (K) is computed based on Kc 40 0 received torn 
HLR/AUC 100 using the fonnula K = f «Kc)). Processing them proceeds to operation 550 where 
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message 240 is generated and transmitted to mobile station 20. As previously discussed, message 240 
contains RAND 440.and M ] . TheieaAer, process ing proceeds to operation 560 where the gateway 60 
waits for message 250 from mobile station 20. Upon receipt of message 220 processing proceeds to 
operation 570 whore M2' is conq>uted. M2' is computed based upon a MAC function utiUzing the 
variables to SRES 450, FK» restrictions, and the alist^. 'The specific formula for computation of M2' is 
M2*»MAC(K, {SRES},PK, [{restrictions}], [alias]). Processing them proceeds to operation 580 where 
a comparison is made between M2, received in message 250, and M2' computed by gateway 60. If M2' 
and M2 do not match then processing proceeds to operation 590 where the execution of the gateway 
certificate generation module 1 600 is aborted. However, if M2' and M2 match then processing proceeds to 
operation 600. In operation 600, M3 is conq)uted by the gateway 60. The gateway 60 computes M3 
based on the fomiula M3 » MAC (K^ C). In operation 61 0, message 260 containing the certificate and M3 
are transmitted to fte mobile station 20. Thereafter, processing te iminates for the gateway certificate 
generation module ] 600 in op^ation 270. 

Upon termination of the mobile station certificate acquisition module 1500 along with its 
counterpart, gateway Certificate generation module 1600, the mobile station 20 has in it s possession a 
certificate which buyer 10 may use to purchase goods and sovices firom seller SO; FICs. 6 through 8 
illustrate the processmg involved by t!ie embodunent of the present invention in orderfcnr buyer 1 0 to.make 
purchase fi^om seller SO. 

FIG. 6 is a diagram of the messages passed between the mobile station 20 and the seller 50 in order 
to fecilitate the purchase and payment of goods and services as utilized in an example embodiment of the 
present inv^tion. A total of two messages are sent by t he mobOe station 20 to seller SO. The messages 
sent fiom mobile station 20 to seller SO include message 6 1 0 and message 630. Seller SO in turn respond 
with message 620 and message 640. Message 610 contains a certificate received torn gateway 60 and a 
request for a particular product or Service. Message 620 is an invoice transmitted firoro iseller 50 to mobile 
station 20. Tbis invoice senres to notify buyer 10 through mobile station 20 of the price of the item 
requested The invoice contains a seDer-specific unique transaction identifier, chosen by the seller SO, and 
the identity of the seller SO, as assigned by the gateway 60. Message 630 includes a digital signature which 
serves to authorize chai^ging the price of the invoice against the certificate su pplied. Message 640 includes 
the delrveiy of the product to the mobile station 20. In the foregoing discussion of messages 610 through 
640 it has been assumed that the product or service requested is in digital format that could be downloaded 
to mobile station 20. However, as previously discussed the product or service an individual buyer I Omay 
request may be anything including such tangible items as Sowers djid clothmg. In the case where the 
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product is a tangible item and buyer ] 0 and seUer 50 face each other, then the request may take the form of 
an oral request and the delivery may take the foim of banding over the flowers or other product. 

Li an alternate embodiment of the message configuration shown in PIG. 6, it is possible for 
message 6 1 0 to contain the request only, and message 630 to contain both the signature and the certifintte. 
b this manner the seller sales module i 800, discussed in detail ahead, verifies the certificate and signature 
at the same time. 

In a further alternate embodiment of the message configuration shown in FIG. 6, it is possible to 
diarge for use of a product, such as a software based game, by the time of usage and not formere delivery 
of the product One method for implementing this would be for several messages 620 1 o be sent to the 
mobile station 20 at periodic time intervals. For example, if buyer 10 requests a game and it is 
downloaded, an initial invoice would be sent, after, which a new invoice will be sent every five minutes. 

FIG. 7 is a flowchart of a buyer purchase module 1700 shown in FIG. 12 as utilized by an 
embodiment of the present invention. The buyer purchase module 1700 includes operations 700 through 
770 shown in FIG. 7. When a buyer 1 0 initiates a purchase of an item fitnn seller 50^ the buyer purcha se 
module 1 700 begins execution in oprntions 700 and immediatdy proceeds to (9eration710. In operation 
71 O tbe mobile station 20 transmits message 610 to seller SO. Themodeoftransmissionmaybeanyfonrn 
of digital communications. Thus, if the sell er 50 is a web site, then mobile station 20 would access seller 
.50 through the cellular access network, via a gateway (such as a WAP gateway), and then through the 
Internet Howev^, if a &ce-to-&ce transaction is occuning between buyer 10 and seller 50 then 
communications between mobile station 20 and seller SO may include any short range form of 
. communications including cable, iniGrared, low-power radio fi?equency, or any o&er suitable means. 

Still refening to FIG. 7, in operation 720 mobile station 20 will wait for receipt of message 620 
fromsellerSO. Upon receipt ofmessage 620 processing then proceeds to operation 730. Inoperatian730 
die buyer 1 0 checks the invoice price to determine if it is valid. In operation 740, a detemu*nation is made 
whether invoice (J) is coxiect If invoice (I) is not correct processing proceeds to operation 750 where 
processing of the buyer purchase module 1 700 is teroiinated. However, if the invoice (I) is conect (hen 
processing proceeds to operation 750. . h ope ration 7SQ,..die buyer 1 0 digitally signs the invoice using a 
secret key (Ki) 410 and tiie signature is returned in message 630. Thereafter, processing proceeds to 
operation 760 where mobile station 20 awaits delivery of message 640. In the case where the product 
being delivered by seller SO is a digital product, operation 760 would be executed. However, where die 
product being delivered is a tangible product, such as a basket of iloweis, operation 760 may simply be the 
handing over that product to buyer 10 from seller 50. Thereafter, the buyer purchase module 1700 
tenninates execution m operation 770. 
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FIG. 8 is a flowchart of Ibe seller sales moduJe J 800, shown in FIG. 12, as oitilized by an 
embodiment of the present inverition. The seUer sales njodulel 800 is counteipart to the buyer purchase 
module 1 700 and is \itilized to check the validity of the digital certificate received from tbebuyerpurcbase 
module 1700. 

Referring FIG! 8, the seller sales module 1 800 includes operations 800 through operation 90 5. 
The seller sales module 800 begins execution in operation 800 and immediately proceeds to operation .8 10. 
In opmtion 8 1 0, the seller sales module 1 800 waits for receipt of message 6 1 0 containing the certificate 
and service request. Upon receipt of m essage 6 ] 0> processing proceeds to operation 820 ^^ere the validity 
of the catificate is verified and it is checked that any optional restrictions are not violated. Thereafter, in 
operation 830 the result of digital certificate verification is checked. This verification of the digital 
certificate is done online so that fte seller 50 may determine whether the digital certificate provided by 
buyer 1 0 is still valid. The situation may arise where a certificate is issued by gateway 60 and later revoked 
when file subscriber reports a loss or &efl of mobile station 20. . 

Still referring to FIG. 8, If the certificate is not valid then processing proceeds to operation 845 

whm the execution ofthe seller sales module 1800 is terminated. However, if the certifi cateisvah'd,then 

processing proceeds to operation 840. In operation 840, it is detennined whether the requested service 
• ♦ * ■ 

complies with the optional restrictions applied. If the requested sen^ice does not comply with restrictions 
then again processing proceeds operation 845 where execution of the seller sales module 1 800 temunates. 
Howev^, if the restrictions are violated, then processing proceeds to qperatioii 850. In operation 850, the 
invoice (I) is sent in message 620 to mobile station 20. In operation 860, the seller sales module 1 800 
waits for receipt ofmessage 630. I^pon receipt of message 630 containing signature (S), operation 870 
checks the signature (S). Tbereaft^, in opeiation 880>'a deteraiination is made if signature (S) is vidid. If 
the signature is not valid fiie processing again proceeds to operation 845 where the seller sales module 
1800 is tenninated. However, if the signature is vaHd; processing proceeds to operation 890 where the 
seller 50 creates an accounting record (AR) and stores it in the seller^s 50 local database. Thereafter, 
jvocessing proceeds to operation 900 where the seller SOproceeds to deliver tbeproduct or service desired. 
.Thismaybedonethroughtfae.tiansmissio!nofmessage640wberethepi^ product Finally, 

the seller sales module 1 800 terminates execution in operation 905 . 

FIGs. 9 trough 1 1 illustjate the process wh^eby &e seller 50 is able to receive payment for 
products and services sold using the embodhnent of the present invration. 

FIG. 9 is a diagram of the messages passed between the seller 50 and the gateway 60 in order to 
facilitatepayment to die seller for services and goods provided to the buyer 1 0 in an example embodiment 
offte present invention. Only two messages axe exchanged between seller 50 and gateway 60. Message 
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9 1 0 siniply contains the currait records accumulated by seller SO within a finite period of time. However, 
as would be appreciated by one of brdinaiy skill in the art, each time an accounting record is geoer ated it 
may be transmitted to gateway 60. Message 920 is a response supplied by gateway 60 to seller 50 
indicating acceptance or rejection of (be accounting records transmitted* 

FIG. 10 is a flowchart of the seller billing module 1900^ shown in FIG^ 12, as utilized in an 
example embodiment of the present mVenticm. The seller billing module 9000 includes operations 1 000 
through 1 1 60 shown in FIG. 1 0. The seller Inlling module 9000 begins execution in c^eration 1 000 and 
immediately proceeds to operation 1010. In operation 1010, variable i is set to 0. In operation 1 020 a 
detennination is made if any records ranain that have not been incoiporated into message 910. If no 
records are left then processing proceeds to operation 1 030 wherethe seller biUing module 1 900 temiinates 
executioi). However, if no accounting records remain to be processed then processing proceeds to 
operation i040orfbeyareplacedinmessage910. Thereafter, in opmtion 1050 i is incremented by K In 
operation 1 060, a detennination is made if any records remain to be processed. If records remain to be 
processed then processing proceeds operation 1070. In operation 1070, it is detemnined whether the 
variable i is less than the variable n whidi represents the maximum number of a ccounting records that may 
be put in message 9J0. If i is less tiian n then processing loops back to opeiation 1040 for furOier 
processing. However, if i is not less than n^ then processing proceeds to qjeration 1 080. In operation 1 080 
message 91 Q containing the accounting records is sent to seller SO. Thereafter, processing proceeds to 
operation 1 090 where seller SO awaits return of message 920 from gateway 60. Upon receipt of message 
920 processing proceeds to operation 1110. h operation 1110, the responses from gateway 60 are 
accq>ted. In operation 1 1 20, it is determined whether the response received indicates coniinnation and 
thus an E^proval of the accounting record and payment &aeof. If the responses are not confirmed in 
operation 1 120, piocessmg proceeds to operation 1 130 where the accounting record is added to the emor 
log. The exTor log would then be examined at some later point m time to deteronne the prq>er course of 
action. However^iffheresponseequabaconfhmation,theQprocessingpn)^ 
the accounting record is entered into a local internal log. Thereafter, in both the case of operation 1 ISO 
and 1 140, processing proceeds to any unprocessed rehouses left in message 920. If there are any 
unprocessed responses, then processing loops back to opoation 1110. However, if all responses have been 
processed, then processing proceeds to operation M 60 where execution of the sellerbillingmodule 1900 is 
temiinated. 

FIG. 1 1 is a flowchart of fhe gateway billing module 2000, shown in FIG. 12, as utilized in an 
exampleembodiment of the present invention. The gateway billing module 2000 is utilized to credit seUer 
S0withiundsforpurchasesmadebybuyerl0usingmobilestation20. The gateway billingmodul e2000 
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also serves to verify the existence of a CQnresppnding buyer^s record containing Bie digital certificate 
created by gateway eertiiicete generation module 1 600. Further, the gateway billing module 2000 also 
veriiies the validity ofthe signature generated by the buyerpimihaseniodule 1700. As will be discussed in 
iurther detail ahead, iising Oie verification of the digital certificate and the signature it is possible to insure 
that the buyer 1 0 is paying the correct amount for the purchase and that t he buyer 1 0 is only being billed 
once. . , 

The gateway billing module 2000 includes operations 1200 through 1340 shown m FIG. 1 1 and 

r 

begins execution in operation 1200. The gateway billing inodule 2000 upon startup in q)erat3on 1200 
inmediatelyproceeds to operation 1210. hi operation 1210» the gateway billingniodule2000 waits for fte 
transmission and arrival of message 910 from the seller billing module 1900. In operation 1220, the 
message 9 1 0 is received fi-om the seller 50 and processing proceeds to opera tion 1 230. In operation 1 230, 
an accounting record (AR) is extracted from message 91 0. Processing then proceeds to opoHtion J23S 
where it is determined whether this particular accounting record has previously been submitted. If the 
accounting record has previously been submitted thenprocessingproceeds to operation ISOOwere an error 
response is generated. However, if tins particular accounting record has not been previously processed, 
then processing proceeds to operation 1240. In operation 1240, tfa e gateway 60 databiase is searched to 
find a conesponding record of the digital certificate for this sale. In operation 12S0 a detetmination is 
made whether a record has been found. If no reccml is found then processing proceeds to operation 1300 
where an eiror response for this particular accounting reccm) is stored for traiismissibn in message 920 to 
iseller SO. However, if a corresponding record is discovered then processing proceeds to cperation 1260. 

Still refemng to HO. 1 1 , the gatemy billing module 2000, executing on gateway 60, proceeds to 
perform the second check to detennine if Hht accounting record is conrecL In opieiFatiQn 1 260, the signature 
of buyer 10 is checked. Furtfier, the associated restrictions for the digital certificate, are che eked to 
determine if this accounting record violates any of these restrictions. In operation 1270, if dfto* signature 
cannot be verified or if any restrictions are violated fhen processing proceeds' to q>eration 1 300 where an 
error response for this parti cular accounting record is stored for transmission in message 920. However, If 
the signature is verified and the restrictions are not violated thenprocessingproceeds to operation 1280. In 
operation 1280, a call detailedrec^d (CDR) is stored in the ga teway 60 database so that dt some later time 
the seller 50 may be paid for all purchases by buyei^s 1 0 for that period of time. Further, the call detailed 
report is also charged to the buyei^s 1 0 account for fliat period' of time. In GSM network this is do ne by 
sending the GDR from local operator to the hoine operator; the home operator then adds the transaction 
indicated in &at CDR to buyejFs phone bill. Tber^fter, in operation 1290, the response for this 
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accounting record is confirmed and stored as such for transniission in message 920 to the seller SO. 
Thereafter, processing proceeds from both operations 1290 and 1300 to operation 1310 where either a 
conlunied response or an eiror response is placed in the message 920. In operation 1 320, it is detemiin ed 
. if other accounting records remain in message 910 and need to be processed. Ifaccounting records remain 
unprocessed in message 910 then processing loops back* to operation 1230. However, if all accounting 
records have been processed then processing proceeds to operation 1330. In operation 1330, message 920 
ccmtaining all responses to all the accounting records is transmitted to fte seUer SO and processing for the 
gateway billing module tenninates in operation 1340. 

It should be noted that the seller billing module 1900 and the gateway billing module 2000 
processed accounting records in a batch operation. However, as would be appreciated by one of ordinaiy 
skill in the art, an accounting record may also be transmitted from Ae seller SO to the gateway 60 as they 
are generated in the seller sales module 1 800* Such of an approach would increase the trafiBc between die 
seller SO and gateway 60. 

FIG. 12 is a modular configuration diagram ofthe embodiments of thepresent invention sho^ 
FlGs. S, 7, 8, 10, and 1 1. This modular configuration diagram illustrates the interconnection between 
modules in the present invention and the logical flow. It should be noted that the mobile station 20 
certificate acquisition modiile ISOO is the only module that interfaces to the GSM authentication naodule 
1 400, the A3 algorithm module 430 and the A8 algorithm module 420, previously discussed in lefeience to 
FIG. 4. Using tiiis embodiment of tiie present invention, the mobile station 20 need only be authenticated 
by Qie mobile telephone infrastructure for billing and authentication 90 upon startup and thus inoposes a 
minima] burden upon the telecom mobile telephone infrastructure for billing and authentication 90. 

Still refening to FIG. 1 2, once the mobile station 20 is authenticated the mobOe station certificate 
acquisiticHi module ISOO is able to obtain a digital certificate from the gateway 60 using the gateway 
certificate generation module 1600. Witii the certificate in die memory of mobile station 20 fhe buyer 
purchase module 1 700 is able to make a purchase from a seller SO in conjunction with the seller sales 
module 1800. The seller sales module 1800 generates an accounting lecoid which the seller billing 
module 1900 is able to submit to tiie gateway 60. The gatewaybilling module 2000 in die gateway 60 will 
verify the accuracy of die accounting record and only charge die buy^ 1 0 for the correct amount and only 
once for any purchase. 

While we have' shown and described only a few examples herein, it is understood tfa at numerous 
changes and modifications as known to those skilled in the art could be made to the present invention. For 
example, rather than a single digital certificate being transmitted in message 260, several could be 
transmitted at one time. In this m anner each certificate may have its own restrictions and when a buyer or 
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user 1 0 goes to make a purchase the certificate that most closely meets the requirements of the purchase 
may be transmitted to the seller SO. In addition, instead of transmitting mes sages containingM 1 , M2, and 
M3 as shovm in FIG. 2 it is possible for all messages to be authenticated using a 32 -bit integrity key (Ki) 
that is pait of the third generation standard security mecham'sm as specified in section 6.S AAccess Link 
Data Integrity® of 3<j security document (3G TS 33.1 02 version 3.5;0release 1999) which we iiicoiporate 
herein by deference. Therefore, we do not wish to be limited to the details shown and described herein^ but 
intend to cover all such changes and modifications as are encompassed by the scppe of the appended 
claims. 
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CLAIMS 

What is claimed is: 

1 • A jnethod of ordering, paymg for and delivering goods and services using a mobile station^ 
comprising: 

accessing a gateway by the mobile station and transmining an identi fication code for m^ 
to the gateway; 

veri^ng the identity of the mobile station by the gateway accessing an authentication c^ter 
and comparing variables coniputed by the mobile station and variables conqjuted by the gateway; 

delivering a digital certificate to the mobile station by the gateway when the identity of the mobile 
station have been verified; and 

requesting a product or service from a seller and transmitting a digital signature, accompanied by 
flie digital certificate for a signature verification key as payment to the 
seller. 

2. The method recited in claim 1 , wherein the veriiyij^g the legitimacy of the gateway by the 
mobile station by comparing the variables coniputed by the gateway with the variables computed by the 
mobile station, iujtber comprises: . 

transmitting from the mobile station to the gateway a session identification and an international 
mobile subscriber identifier; 

transmittmg the international mobile subscriber identifier firom the gateway to the authentication 

center; 

transmitting fcom the authratication center to the gateway a random nxnnber (RAND), a signed 
response (SRES), and an encryption ke}r, 

conq)Uting a variable Ml by the gateway mid transmitting the variable Ml and the random number 
to the mobile station; 

computing a variable M 1 ' by the mobile station; and 

verifying the legitimacy of the gateway when the variable MI equals the variable Ml'. 

3. Hie method recited in claim 2, wherein the integrity key (K) is computed by both the mobile 
station and the authentication center as a function of RAND and Ki, where RAND is a random niunber 
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issued by the aulhenticatioa center, and Ki is a.secret key contained within the authentication center and 

J ' I 

the mobile Station. ' 

4. The method recited in claim 3, where RAND Ihe in tegrity key (K) is transmitted by the of 
indications center to the gateway. 

5. The me&od recited in claim ] , ftnther comprising: 

compizting a digital certificate l>y the gateway catiiyiqg flie mobile station*s public key (PK); 
computing a variable M3 by the gateway and transmitting the variable M3 and the digital 
certificate to the mobile station; 

computing a variable M3' by the mobile station; 

veriiying the legitimacy of the gateway when the variable M3 equals the variable M3'. 

6. The method recited in claim S, wherein the variables M3 and M3' are computed using the 
fonnola M3 « M3* MAC (K, C), where MAC is a message authentication code function, K is an integrity 
key and C is the digi^l certificate created by the gateway to certify PK. 

7. The method recited in claim 1 , whereih verifying fhe identity of flie mobile station by the 
gateway accessing an auftentication center and comparing variables computed by the mobile station and 
variables computed by the gateway, liirther comprises: 

transmitting a signed response, a public key and a variable M2 computed by the mobile station to 
thegatewa^, 

computing a variable M2' by the gateway; 
comparing the variable M2 and the variable M2'; and 

verifying the identity of the mobile station when vari able M2 is equal to variable M2'. 

8. The method recited in claim 7, wherein variables M2 and M2' are computed using the 
formula M2 « M2' = MAC (K, {SRES}, PK, [{restrictions}], [alias]), whereb MAC is a message 
authentication code function, SRES is a signed response, K is an integrity key, PK is a public key, 
restrictions are limits on the certificate and alias is an alternate identification ibr the mobile station. 
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9. The method recited in claim 1, wherein requesting a product or service from a seller and 



transmitting the digital signature, accompanied by &e digital certificate for the signature verification key as 
payment to fiie seller, further comprises: 

transmitting the certificate with the request for the product or service; 

receiving an invoice from the seller indicating a price for the product or service; 

computing a digital signature on the invoice; 
' approving the invoice by transmitting the digital signature to the seller; and 

accepting delivery of the product or service by the buyer, 

• 

10. The method recited in claim 9, wherein the sellerupon transmission of the digital signature, 
further comprises: 

veriiying the digital signature;. 

verij^dng that restrictions assodated with the digital certificate 
creating tfie an accoimting record for &e product or service sold. 

11. . Theme&od recited in claim 10, further comprising: 

transmitting from the seller to the gateway the accounting record having an invoice and digital 
signature of a customer of a home network operator service; 

detmnining by the gateway ftat a coirespcmding record ^ists in a local database and the validity 
of Qie digital signature; 

detemaining whether the invoice violates any restrictions contained in the corresponding record; 
crediting the seller wi& an amount equal to ftat in &e invoice; and 
billmg the buyer with the amount of the invoice. 

12. The method recited in claim 1, further COTiprising: 

verifying the legitimacy of the gateway by the mobile station by comparing die variables computed 
by the gateway with the variables computed by the mobile station. 

. 13. The method recited in claim 1 1 , wherein delivering a digital certificate to tiiemobile station 
by the gateway when the identity of the mobile station and the gateway have been verified, further 
comprises: 

requesting a digital certificate by the mobile station from the gateway used to 
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order and pay for a product or service fioro a seller 

14. A system for ordering, paying for and delivering goods and services using a mobile 
station, comprising: 

a GSM authentication module to verify that the mobile station is permitted to access a telecom 
infrastructure; j 

a mobile station certificate acquisition modtile to request a digital certificate for the mobile station 
from a gateway; and 

a gateway certificate generation module to verify ftat Hxe mobile station is authcmzed to receive the 
digital certificate by transmitting an international mobile subscriber identifier received firom the mobile 
station to an authentication center, calculate variables based on information recaved fit>m the 
authentication center and compare them to variables computed by die mobile station, and issue the digital 
certificate to the mobile station when the variables match. 

15. The system recited in claim 1 4, wherein the mobile station certificate acquisition module 
verifies that the gateway is authorized to issue the digital certificate through the use of comparing variables 
computed by the gateway and the mobile station. 

16* The system recited in claim 15, fruther comprising: 

a buyer purchase module to request die purchase of a good or service fi'om a seller, present Oie 
digital certificate to the seller, receive an invoice and provide the seller with a digital signature approving 
the purchase of the good or service; 

a seller sales module to verify the validity of the digital certificate and the validity of the digital 
signature, issue an invoice, generate an accounting record and deliver a product or service 

a seller billing module to transmit to the gateway the accounting record and receive a response 
indicating if the accounting record has been approved for payment; and 

a gateway bflling module to verify the accounting record and an acooinpanyi^ and issue 

a credit to the seller and debit to the buyer wh en the accounting record and the accompanying signature are 
verified. 

17, The system recited in claim 16, wherein the gateway certificate generation module 
transmits an international mobile subscriber identifier to the authentication c^ter, receives a ra ndom 
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number, a signed response and an encryption key £rom the anfbentication center* computes a variable IVI 1 , 
M2\ and M3 and verifies the validity of the mobile station by comparing variable M2 received from the 
mobile station with variable M2'. 

18* The system recited in claim 14» wherein &e mobile station further comprises: 
a Subscriber identification module (SIM) used to coxnpute a signed response and a ciphering key 
based on a secret key, mstalled by a home networic operator service in the subscr iber identification module 
upon signing up for a service plan, and a random number obtained fiom an authentication center in the 
home netw(»k operator service; 

an A3 algoridmi module, contained in the SIM, is used to compute the signed response; and 
an AS algoriOm module, contained in the SIM, is used to compute the ciphering key, wherein 
through the transmission of signed responses to and from the mobile station a telecomrouhication 
infiBStructure is able to verii^ that die mobile station is authorized to access the telecommimication 
infrastructure and the gateway. 

19. A computer program embodied on a computer readable medium and executable by a 
computer for ordering, paying for and delivering goods and services using a mobile station, comprising: 

a- GSM authentication code segment to verify that fte mobile station is pennitted to access a 
telecom infrastructure; 

a mobile station certificate acquisition code segment to request a digital certificate for the mobile 
station from a gateway; and 

a gateway certificate generation code segment to verify that tihe mobile station is au&orized to 
receive the digital certificate by transmitting an international mobile subscnl}er identic 
mobile station to an authentication center, calculate variables based on iriformation received fiom the 
atrtbentication center and compare (hem to variables coniputed by be mobile station, and issue the digital 
certificate to the mobile station when the variables match. 

20. The system recited in claim 19, wherein the mobile station certificate acquisition code 
segment verifies &at the gateway is authorized to issue the digital certificate &rough the use of comparing 
variables computed by the gateway and the mobile station. 

21. The computer program recited in claim 19, further comprising: 
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a buyer pxuchase code segment to request the purchase of a good or service from a seller, present 
the digital certificate to the seller, receive an invoice and provide the seller with a digital signature approval 
the purchase of the good or service; 

a seller sales code segment to verify the validity of the digital certificate and the validity of the 
digital signature, issue an invoice, generate an accounting record and deliver a product or service; 

a seller billing code segment to transmit to the gateway the accounting record and receive a 
response indicating if die accounting record has been approved for payment; and 

a gateway billing code segment to veriiy the accounting record and an accompanying signature, 
and issue a credit to the seller and debit to the buyer when the accounting record and die accompanying 
signature are vmified. 

22. The computer program recited in claim 20, wherein the mobile station certificate 
acquisition code segment transmits a session identification land an international mobile subscriber identifier 
to the gateway, receives a random number and a variable Ml from the gateway and verifies that the 
gateway is authentic by computing and comparing the variab^ Mr with MI . 

23. The computer program recited in clai m 19, wherein the gateway certificate generation 
code segment transmits an international mobile subscriber identifier to the autfaenticaticm center, receives a 
random number, a service response and an encryption key fiT>m the authentication center, computes a 
variable Ml, M2\ and M3 and verifies die validity of the mobile station by comparing variable M2 
received fit)m the mobile station wids variable M2*. 
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